tomcat-users mailing list archives

From Phillip Morelock <subscripti...@phillipmorelock.com>
Subject Re: Security problem?
Date Fri, 07 Jun 2002 08:52:00 GMT
On 6/7/02 1:47 AM, "Laura" <lauradiara@libero.it> wrote:

> Hi all,
> 
> it might be that I have a security problem and you should tell me if I am
> right.
> Well, I have a server with an ecommerce application: a user can buy
> something and when he has to pay, the servlet of the web application executes a
> redirect to my servlet (on a different server) passing me the sum of money
> that the user has to pay.
> 
> Could the user change the sum of money?

Yes.  I mean, yes I think so -- but you haven't described the redirect.

> Is a redirect secure?

No.  A redirect is literally that.  It "redirects" the client to send its
request to a different server/page/whatever.  This means a cracker could
simply set up a system whereby they don't respond to redirects.  Instead,
they take the information that should be redirected and they alter it in
some way, and then just send a request to your second server.

To see a redirect in action, telnet to your webserver's port and request a
page that uses a redirect.  All it says is "content moved", a response code,
and the "new location" of the content.  The client at this point normally
sends the same request to the new location.  If I am wrong here, someone
please correct me.
 
> What do you think?

Bad idea.
 
> If yes, how can I solve the problem?

Dunno how you can do it this way without security problems.  If you're not
keeping track of state, you are in trouble.  Clients cannot be trusted.
 
> Thanks for your help
> 
> Laura
> 
> --
> To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
> 




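To make the mechanics in the reply concrete, here is an added Python example (not from the thread and not Tomcat code): it parses a constructed 302 response like the one you would see over telnet, builds the follow-up request a client normally sends, and contrasts a payment handler that trusts the redirected amount with one that only charges the amount recorded in the payment server's own order state, which is the "keep track of state" advice above. The hostnames, order table and amounts are constructed sample values.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed 302 response, the kind of thing the reply says you see over
# telnet: a status code and the new location the client is told to go to.
REDIRECT_RESPONSE = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Location: https://pay.example.test/pay?order=1001&amount=99.00\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed server-side state on the payment server: order id -> amount
# agreed with the shop before the redirect was ever issued.
ORDERS = {"1001": "99.00"}

def parse_redirect(raw):
    """Split a raw HTTP redirect into (status, Location, query parameters)."""
    head = raw.partition("\r\n\r\n")[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    location = headers["location"]
    query = parse_qs(urlsplit(location).query)
    params = {name: values[0] for name, values in query.items()}
    return status, location, params

def follow_request(location):
    """The request a well-behaved client sends next: the same GET, re-aimed.
    Nothing forces a client to send it unmodified; the query string is client data."""
    url = urlsplit(location)
    target = url.path + ("?" + url.query if url.query else "")
    return f"GET {target} HTTP/1.1\r\nHost: {url.netloc}\r\n\r\n"

def naive_amount(params):
    """Insecure: charges whatever amount arrived in the redirected request."""
    return params["amount"]

def verified_amount(params):
    """Safer: the charge is the amount recorded server-side for this order.
    The client-supplied amount is only compared against it; a mismatch (or
    an unknown order) returns None so the caller can reject and log it."""
    expected = ORDERS.get(params.get("order"))
    if expected is None or params.get("amount") != expected:
        return None
    return expected
```

A real deployment would keep the order record on the payment side before redirecting (or fetch it from the shop server-to-server), so the amount never depends on what the browser forwarded.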